HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Malware‑as‑a‑Service Kit Enables Full Android Device Takeover (BTMOB RAT)

A $5,000 lifetime license gives attackers a point‑and‑click kit to build malicious Android apps, launch phishing‑driven installations, and gain full remote control of devices. The service lowers the skill barrier, expanding the threat landscape for any organization with a mobile workforce.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Malware‑as‑a‑Service Kit Enables Full Android Device Takeover (BTMOB RAT)

What Happened – A new Android Remote Access Trojan (RAT) called BTMOB is sold as a point‑and‑click kit. For a $5,000 lifetime license, buyers receive an integrated APK builder that creates malicious apps, custom phishing lures, and region‑specific campaigns without writing code. The payload abuses Android Accessibility Services to gain elevated permissions, exfiltrate data, capture screens, and give attackers remote control.

Why It Matters for TPRM

  • The MaaS model lowers the technical barrier, expanding the pool of potential threat actors that could target your employees’ mobile devices.
  • Compromised Android devices can be leveraged to steal corporate credentials, access VPN clients, and exfiltrate sensitive business data.
  • The kit’s rapid localization means any organization with a global mobile workforce is at risk of targeted phishing campaigns.

Who Is Affected

  • All industries with a mobile workforce (finance, healthcare, retail, technology, etc.).
  • Vendors providing Android‑based applications, mobile device management (MDM) solutions, and endpoint security services.

Recommended Actions

  • Review and tighten mobile security policies, especially regarding app installation from unknown sources.
  • Enforce strict controls on Android Accessibility Services and require MDM enforcement of app whitelisting.
  • Conduct phishing awareness training focused on malicious app downloads and fake app stores.
  • Verify that third‑party vendors handling mobile devices have robust detection and response capabilities for RAT activity.

Technical Notes

  • Attack Vector: Phishing messages that redirect victims to a counterfeit app store, followed by automatic exploitation of Android Accessibility Services.
  • Capabilities: Full device takeover, screen capture, audio recording, data exfiltration, remote command execution.
  • Business Model: Malware‑as‑a‑Service (MaaS) with a $5,000 lifetime license plus monthly support; sold via Telegram, X, and Instagram.
  • Related Malware: Evolves from SpySolr (early 2025).

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192846/malware/btmob-rat-gives-criminals-a-point-and-click-kit-to-take-over-your-android-phone.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →